firstgarden/firstgarden-web-gnu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

Merge branch 'master' of github.com:gnuboard/g5

Browse Source
This commit is contained in:
thisgun
2017-12-27 09:59:37 +09:00
parent a90a38f096 c1e1f64580
commit 5ba5836ecb
3 changed files with 23 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
bbs/logout.php
View File

@ -15,8 +15,12 @@ if ($url) {
$url = 'http:' . $url; $url = 'http:' . $url;
$p = @parse_url(urldecode($url)); $p = @parse_url(urldecode($url));
if ($p['scheme'] || $p['host']) { /*
alert('url에 도메인을 지정할 수 없습니다.'); // OpenRediect 취약점관련, PHP 5.3 이하버전에서는 parse_url 버그가 있음 ( Safflower 님 제보 ) 아래 url 예제
// http://localhost/bbs/logout.php?url=http://sir.kr%23@/
*/
if (preg_match('/^https?:\/\//i', $url) || $p['scheme'] || $p['host']) {
alert('url에 도메인을 지정할 수 없습니다.', G5_URL);
} }
$link = $url; $link = $url;

2
config.php
View File

@ -5,7 +5,7 @@
********************/ ********************/
define('G5_VERSION', '그누보드5'); define('G5_VERSION', '그누보드5');
define('G5_GNUBOARD_VER', '5.2.9.8'); define('G5_GNUBOARD_VER', '5.2.9.8.1');
// 이 상수가 정의되지 않으면 각각의 개별 페이지는 별도로 실행될 수 없음 // 이 상수가 정의되지 않으면 각각의 개별 페이지는 별도로 실행될 수 없음
define('_GNUBOARD_', true); define('_GNUBOARD_', true);

19
plugin/htmlpurifier/extend.video.php
View File

@ -21,11 +21,24 @@ if( !class_exists('HTMLPurifier_Filter_Iframevideo') ){
*/ */
public function preFilter($html, $config, $context) public function preFilter($html, $config, $context)
{ {
$html = preg_replace('#<iframe#i', '<img class="Iframevideo"', $html); if (strstr($html, '<iframe')) {
$html = preg_replace('#</iframe>#i', '</img>', $html); $html = preg_replace_callback('/<iframe.*?src="https?:\/\/www\.youtube\.com\/embed\/([^"]*)[^>]*>(.*?)?\/iframe>/si', array($this, 'trust_url_match'), $html);
$html = preg_replace_callback('/<iframe.*?src="https?:\/\/player\.vimeo.com\/video\/([^"]*)[^>]*>(.*?)?\/iframe>/si', array($this, 'trust_url_match'), $html);
//$html = preg_replace('#<iframe#i', '<img class="Iframevideo"', $html);
//$html = preg_replace('#</iframe>#i', '</img>', $html);
}
return $html; return $html;
} }
public function trust_url_match($matches)
{
$str = $matches[0];
if( $matches[1] ){
$str = preg_replace('#<iframe#i', '<img class="Iframevideo"', $str);
$str = preg_replace('#</iframe>#i', '</img>', $str);
}
return $str;
}
/** /**
* *
* @param string $html * @param string $html
@ -48,7 +61,7 @@ if( !class_exists('HTMLPurifier_Filter_Iframevideo') ){
{ {
// Domain Whitelist // Domain Whitelist
$youTubeMatch = preg_match('#src="https?://www.youtube(-nocookie)?.com/#i', $matches[1]); $youTubeMatch = preg_match('#src="https?://www.youtube(-nocookie)?.com/#i', $matches[1]);
$vimeoMatch = preg_match('#src="http://player.vimeo.com/#i', $matches[1]); $vimeoMatch = preg_match('#src="https?://player.vimeo.com/#i', $matches[1]);
if ($youTubeMatch || $vimeoMatch) { if ($youTubeMatch || $vimeoMatch) {
$extra = ' frameborder="0"'; $extra = ' frameborder="0"';
if ($youTubeMatch) { if ($youTubeMatch) {